Verification of Link-Level Protocols


by Donald E. Knuth


Abstract. Stein Krogdahl [1] has given an interesting demonstration of the partial correctness of a "protocol skeleton", by which the validity of the essential aspects of a large variety of data transmission schemes can be demonstrated. The purpose of this note is to present a simpler way to obtain the same results, by first establishing the validity of a less efficient skeleton and then "optimizing" the algorithms. The present approach, which was introduced for a particular protocol by N. V. Stenning [2], also solves a wider class of problems that do not require first-in-first-out transmissions.


1. Introduction.

Alice wants to send messages $M_0\,M_1\,M_2 \ldots$ to Bill over noisy transmission lines. They decide to handle the problem in the following way: Alice keeps a local variable

$A$ = the number of consecutive messages that Alice is sure Bill has received and stored;

Bill keeps a local variable

$B$ = the number of consecutive messages that Bill is sure he has received and stored.

Initially $A = B = 0$; we ignore problems of termination, since this can be dealt with as in [1]. Alice does two types of operations:

A1. Send message $M_j$, where $j$ is an integer in the range $A \le j < A + k$.

A2. Receive an acknowledgment $b$ and set $A \leftarrow b$.

Bill also does two types of operations:

B1. Send an acknowledgment $B$.

B2. Receive message $M_j$, and optionally store it; then set $B$ to any value $b \ge B$ such that messages $M_0\,M_1 \ldots M_{b-1}$ have all been received and stored.

Here $k$ is a constant representing the size of some internal buffer storage maintained by Alice. We shall assume as in [1] that the "send" operation either inserts an item at the rear of a queue, or it causes nothing at all to happen; the latter event accounts for transmission errors, since a garbled message or a garbled acknowledgment will be treated as if it had not arrived at all. According to this convention, the sender does not know whether the sent item has been put into the queue or not. The "receive" operation is performed only when the queue is nonempty; in such a case the receiver reads and deletes the item at the front of the queue.

Thus there are two queues, one containing messages and the other containing acknowledgments. The only essential difference between the above conventions and those of [1] is that we assume as in [2] that each message $M_j$ in the message queue specifies its own integer index $j$, and each acknowledgment in the acknowledgment queue specifies an integer $b$, where $j$ and $b$ can be arbitrarily large. After this simple but unrealistic model has been examined, it will be clear that only a limited amount of information about $j$ and $b$ need actually be sent.

The particular order in which Alice and Bill decide to perform operations A1, A2, B1, and B2 is immaterial to us, and so are the particular choices of optional actions in steps A1 and B2. Our goal is to derive facts about any scheme that is based on these four operations; it is in this sense that we are studying a "protocol skeleton" for a large class of conceivable protocols. The facts we shall derive are expressed as relations that remain invariant under all four operations A1, A2, B1, B2.

2. Invariants.

The first invariant relation we shall prove is

Lemma 1. Let the contents of the acknowledgment queue be

$$b_1 \ldots b_r$$

from the front to the rear, where $r \ge 0$. Then

$$A \le b_1 \le \cdots \le b_r \le B.$$

Proof. This condition holds initially, when $A = B = r = 0$, and it is unaffected by operation A1. Operation A2 is performed only when $r > 0$, and it replaces $(A, b_1 \ldots b_r)$ by $(b_1, b_2 \ldots b_r)$; operation B1 either does nothing or replaces $(b_1 \ldots b_r, B)$ by $(b_1 \ldots b_r\, B, B)$; and operation B2 has no effect except possibly to increase $B$. Thus the stated relation remains invariant. ∎

As a corollary of Lemma 1, we conclude that variable $A$ never decreases during the course of a computation, since it changes only during A2. Notice that the invariant in Lemma 1 expresses a joint property of the entire communication system; although Alice does not know the value of $B$ and Bill does not know the value of $A$, and although neither knows the contents of the queue, they can be sure that the unknown quantities satisfy the invariant relation. The introduction of system-wide invariants like this is one of the main features of Krogdahl's treatment.


Lemma 2. Let the contents of the message queue be

$$M_{j_1} \ldots M_{j_r}$$

from the front to the rear, where $r \ge 0$, and let $j_{\max}$ be the maximum index of any message that has ever been removed from the message queue. (If nothing has ever been removed, let $j_{\max} = 0$.) Let $j_0 = j_{\max}$ and $j_{r+1} = A$; then

$$j_i < j_{i'} + k \quad\text{for } 0 \le i < i' \le r + 1.$$

Proof. Initially $r = 0$ and $j_0 = j_1 = 0$, so the relation holds trivially. Operation A1 either does nothing or replaces $j_1 \ldots j_r$ by $j_1 \ldots j_r\, j$ for some $A \le j < A + k$; this leaves the stated relation invariant (we must consider two new cases, namely $j_i = j$ and $j_{i'} = j$: the first holds because $j < A + k$ and $A$ is still the last element of the sequence, the second because $j_i < A + k \le j + k$). Operation A2 does not decrease $A$, as we have already observed, and operation B1 changes nothing. Operation B2 is performed only when $r > 0$, and it replaces $(j_{\max}, j_1 \ldots j_r)$ by $(\max(j_{\max}, j_1), j_2 \ldots j_r)$; again the relation remains invariant. ∎

3. Consequences.

The comparatively simple invariants proved in Lemmas 1 and 2 lead immediately to our main result:

Theorem. If $M_j$ is in the message queue, we have

$$B - k \le j < B + k.$$

If $b$ is in the acknowledgment queue, we have

$$A \le b \le A + k.$$

Proof. We know from Lemma 2 that $j < A + k$ and from Lemma 1 that $A \le B$, hence $j < B + k$. Furthermore $B - 1 \le j_{\max}$, where $j_{\max}$ is defined in Lemma 2, because messages $M_0\,M_1 \ldots M_{B-1}$ have all been removed from the message queue; hence $B - 1 < j + k$ and $B - 1 < A + k$ by Lemma 2, that is, $B - k \le j$ and $B \le A + k$. This completes the proof, since $A \le b \le B$ by Lemma 1. ∎

The theorem tells us that only a limited amount of information about $j$ needs to appear in the message queue, and only a limited amount about $b$ needs to appear in the acknowledgment queue. Let us consider $b$ first: If $m_1$ is any fixed integer $> k$, it suffices to send the remainder $B \bmod m_1$ instead of the arbitrarily large integer $B$ in step B1, since Alice will be able to reconstruct the full acknowledgment $b$ from the remainder $b \bmod m_1$ received in step A2, given the fact that $A \le b \le A + k$. Indeed, the operation $A \leftarrow b$ is simply replaced by

$$A \leftarrow A + (b' - A) \bmod m_1$$

where $b' = b \bmod m_1$ is the acknowledgment that was received. (The $k + 1$ possible values $A, A + 1, \ldots, A + k$ of $b$ have distinct residues modulo $m_1$ precisely because $m_1 > k$.)

Let us suppose that Bill will store a message $M_j$ that he receives in operation B2 only if $B \le j < B + l$, where $l$ represents a fixed amount of buffer storage. There is of course no point in storing $M_j$ when $j < B$, since all such messages have already been stored. We might as well assume that $l \le k$, because $j$ will always be less than $B + k$. In this case it suffices to send only the remainder $j \bmod m_2$ as an identification number for $M_j$, instead of the full integer $j$, provided that $m_2 \ge k + l$. For we know that the index $j$ received by Bill in B2 must satisfy $B - k \le j < B + k$; the values of $j \bmod m_2$ in the range $B \le j < B + l$ are distinct, and they are disjoint from the values of $j \bmod m_2$ in the range $B - k \le j < B$ or $B + l \le j < B + k$. The fact that $(B + l) \bmod m_2$ might coincide with $(B - k) \bmod m_2$ does not matter; Bill would not store such a message in either case, and he doesn't care about the precise value of $j$ when the message isn't being stored, since such messages might as well have been dropped.

Krogdahl's paper [1] essentially discusses the case $l = 1$ and $m_1 = m_2 = k + 1$ in detail; he also gives a sketch of the case $l = k$, $m_1 = m_2 = 2k$ without proof. The argument above is not only simpler and more general, it shows that the moduli $m_1 = k + 1$ and $m_2 = 2k$ are sufficient when $l = k$.

4. Generalization.

Krogdahl conjectured that the theory can be extended to the case where the queues do not quite operate in a first-in-first-out manner. It is clear that we cannot avoid sending the full integer $j$ or $b$ when the queuing discipline allows the deletion of items in arbitrary order, since small values might remain in the queue until they coexist with large ones. Let us suppose, however, that if entries are inserted in the order $x_1\,x_2\,x_3 \ldots$ and deleted in the order $x_{p(1)}\,x_{p(2)}\,x_{p(3)} \ldots$, then $p(1)\,p(2)\,p(3) \ldots$ is a permutation of the positive integers such that we have $|p(i) - i| \le q$ for all $i$. Furthermore the $p(i)$ must be consistent with the actual sequence of insertions and deletions made to the queue, in the sense that at least $p(i)$ elements must have been inserted at the time of the $i$th deletion. How does our previous analysis of the case $q = 0$ extend to this more general situation?

In the first place it is clear that the assignment at the end of operation A2 should be replaced by

$$A \leftarrow \max(A, b)$$

in this more general setting, otherwise the monotone growth of $A$ would be destroyed.


Before considering the general protocol problem in detail, it is useful to study the general queuing discipline more carefully. If $i < i'$ and $p(i) > p(i')$, let us say that element $x_{p(i)}$ "passes" element $x_{p(i')}$, since it was inserted later but deleted earlier.

Lemma 3. A permutation $p(1)\,p(2)\,p(3) \ldots$ of the positive integers satisfies the condition $p(i) \ge i - q$ for all $i$ if and only if no element of the corresponding queuing discipline is passed by more than $q$ other elements. It satisfies the condition $p(i) \le i + q$ for all $i$ if and only if no element of the corresponding queuing discipline passes more than $q$ other elements.

Proof. If $p(i) \ge i - q$ for all $i$, then $p(i') \ge i - q$ for all $i' \ge i$; but $p$ is a permutation, so the $i - q - 1$ values less than $i - q$ must all be taken by indices $i' < i$, and those indices have $p(i') < i - q \le p(i)$. This leaves at most $q$ indices $i' < i$ that could have $p(i') > p(i)$; so $x_{p(i)}$ is not passed by more than $q$ other elements. Conversely, if $p(i) < i - q$ for some $i$, then at most $p(i) - 1$ indices $i' < i$ have $p(i') < p(i)$, so at least $i - p(i) > q$ indices $i' < i$ have $p(i') > p(i)$; in other words, at least $q + 1$ elements pass $x_{p(i)}$. The second half of the lemma follows from the first half, if we replace $p$ by the inverse permutation. ∎
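Lemma 3 is easy to check by brute force on finite deletion orders, and doing so is a useful sanity check on the definition of "passing" before it is used in the bounds below. The following Python code is an added example, not part of the note: `passing_counts` counts passes directly from the definition, `displacements` computes the smallest $q'$ and $q$ with $i - q \le p(i) \le i + q'$, and `lemma3_holds` confirms that the two agree on every permutation of $1 \ldots n$ (the finite case is covered by the same proof, since the argument only looks at indices below $i$). Function names are mine.

```python
from itertools import permutations


def passing_counts(p):
    """For a deletion order p = (p(1), ..., p(n)), a permutation of 1..n, return
    (max number of elements any single element passes,
     max number of elements any single element is passed by).
    x_{p(i)} passes x_{p(i')} when i < i' and p(i) > p(i'):
    it was inserted later but deleted earlier."""
    n = len(p)
    passes = [0] * (n + 1)       # indexed by insertion index
    passed_by = [0] * (n + 1)
    for i in range(n):
        for i2 in range(i + 1, n):
            if p[i] > p[i2]:
                passes[p[i]] += 1
                passed_by[p[i2]] += 1
    return max(passes), max(passed_by)


def displacements(p):
    """(max p(i) - i, max i - p(i)) over all i, clipped at 0: the smallest q'
    and q such that i - q <= p(i) <= i + q' holds for every i."""
    up = max((v - i for i, v in enumerate(p, 1)), default=0)
    down = max((i - v for i, v in enumerate(p, 1)), default=0)
    return max(up, 0), max(down, 0)


def lemma3_holds(n):
    """Exhaustive check of Lemma 3 on every deletion order of n insertions:
    the smallest q' with p(i) <= i + q' is the most elements one element passes,
    and the smallest q with p(i) >= i - q is the most elements one element is
    passed by."""
    return all(passing_counts(p) == displacements(p)
               for p in permutations(range(1, n + 1)))


if __name__ == "__main__":
    # x_2 and x_3 both pass x_1; x_1 is deleted third although inserted first.
    print(passing_counts((2, 3, 1)), displacements((2, 3, 1)))
    print("Lemma 3 holds for n <= 6:", all(lemma3_holds(n) for n in range(1, 7)))
```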

As long as we are generalizing the case $q = 0$, we might as well generalize further by supposing that the queuing discipline satisfies

$$i - q \le p(i) \le i + q'$$

for all $i$. Here $q = 0$ if and only if $q' = 0$, but each pair of positive integers $(q, q')$ defines a different queuing discipline. We shall assume that the acknowledgment queue satisfies such a discipline with parameters $q_1$ and $q'_1$, while the message queue satisfies such a discipline with parameters $q_2$ and $q'_2$.

Let $b_1\,b_2\,b_3 \ldots$ be the entries that are inserted into the acknowledgment queue, and let $j_1\,j_2\,j_3 \ldots$ be the indices of the messages inserted into the message queue. We can prove as before that $b_1 \le b_2 \le \cdots \le b_n \le B$, after $n$ acknowledgments have been inserted; that $j_i < A + k$ for $1 \le i \le n$, after $n$ messages have been inserted; and that

$$j_i < j_{i'} + k \quad\text{for } i < i'.$$

It follows that $A \le B \le A + k$.

We can now show that all entries $b$ in the acknowledgment queue satisfy

$$A - q_1 k \le b \le A + k.$$

The upper bound is obvious, because $b \le B$. To prove the lower bound, we may suppose that $b < A$. When $b$ was first placed into the queue, we had $b = B \ge A$, so $A$ must have increased since then, by being set to other entries read from the queue. Suppose that $n$ of these other entries have "passed" $b$, i.e., were inserted after $b$; only the entries inserted after $b$ can have a value $> b$. Before the first such entry was read by Alice, we had $b \ge A$; afterwards we had $b \ge A - k$, because $A$ cannot increase by more than $k$ during operation A2. (All entries in the queue at that time are $\le B \le A + k$.) By induction we have $b \ge A - nk$ if $n$ entries have passed $b$, but Lemma 3 tells us that $n \le q_1$.

Finally, we can prove that all indices $j$ in the message queue satisfy

$$B - k - q_2 \le j < B + k.$$

Again the upper bound is obvious, since $j < A + k$. To prove the lower bound, suppose that $n$ message indices have "passed" $j$ in the queue; all other indices $j'$ read by Bill satisfy $j' \le j + k - 1$. Therefore if Bill has received and stored messages $M_0 \ldots M_{B-1}$, we have $B - 1 \le j + k - 1 + n$, with equality only if the $n$ messages that passed $M_j$ were distinct messages whose indices lie in the interval $[j + k, j + k - 1 + n]$. By Lemma 3, we have $n \le q_2$.

It is not difficult to verify that the above inequalities on $b$ and $j$ are best possible, by constructing scenarios in which the extreme values occur. As before, we can conclude that it suffices to transmit only the residues $b \bmod m_1$ in the acknowledgment queue and $j \bmod m_2$ in the message queue, where $m_1$ and $m_2$ are any integers satisfying

$$m_1 > (q_1 + 1)k, \qquad m_2 \ge k + l + q_2;$$

we assume that Bill has a buffer for receiving up to $l \le k$ messages whose indices lie in $\{B, B + 1, \ldots, B + l - 1\}$. It is curious that $q'_1$ and $q'_2$ do not enter into these formulas.
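As an added example, not part of the note, the following Python program simulates the protocol skeleton of Sections 1–3 together with the generalization of this section: both queues are lossy and may reorder deliveries subject to $i - q \le p(i) \le i + q'$, Alice uses $A \leftarrow \max(A, b)$, and the two parties see only the residues $b \bmod m_1$ and $j \bmod m_2$, while the full integers ride alongside so that the system-wide invariants (Lemma 1, Lemma 2 in insertion order, $A \le B \le A + k$, and the bounds $A - q_1 k \le b \le A + k$ and $B - k - q_2 \le j < B + k$) can be asserted after every step. With $q = q' = 0$ the queues are exactly the FIFO queues of Sections 1–3. The class and function names, the random scheduler, the loss probability, and the way the reordering discipline is enforced (element $x_{i-q}$, if still present, is forced out at the $i$th deletion, so that no element is passed by more than $q$ others) are my own choices.

```python
import random


class ReorderQueue:
    """Lossy queue whose deletion order p satisfies i - q <= p(i) <= i + qp.
    Items carry their insertion index so the discipline can be enforced."""

    def __init__(self, q, qp, rng):
        self.q, self.qp, self.rng = q, qp, rng
        self.items = []      # (insertion index, value), in insertion order
        self.inserted = 0
        self.order = []      # p(1), p(2), ...: insertion index of each deletion

    def send(self, value, loss):
        # A garbled transmission is modelled, as in the note, by the item never
        # entering the queue; the sender cannot tell the two cases apart.
        if self.rng.random() >= loss:
            self.inserted += 1
            self.items.append((self.inserted, value))

    def eligible(self):
        i = len(self.order) + 1                  # number of the next deletion
        forced = [it for it in self.items if it[0] <= i - self.q]
        if forced:                               # x_{i-q} must leave now
            return forced
        return [it for it in self.items if it[0] <= i + self.qp]

    def receive(self):
        item = self.rng.choice(self.eligible())  # only called when items is nonempty
        self.items.remove(item)
        self.order.append(item[0])
        return item[1]

    def displacement(self):
        """(max i - p(i), max p(i) - i) over the deletions made so far."""
        return (max((i - p for i, p in enumerate(self.order, 1)), default=0),
                max((p - i for i, p in enumerate(self.order, 1)), default=0))


def simulate(k, l, q1, qp1, q2, qp2, m1, m2, steps=3000, loss=0.3, seed=7):
    """Random schedule of A1, A2, B1, B2; raises AssertionError if any invariant
    of the note fails or a residue is decoded wrongly.  Returns a summary."""
    assert l <= k and m1 > (q1 + 1) * k and m2 >= k + l + q2   # conditions of the note
    rng = random.Random(seed)
    acks, msgs = ReorderQueue(q1, qp1, rng), ReorderQueue(q2, qp2, rng)
    A = B = 0          # the skeleton's A and B as full integers (for checking only)
    A_res = 0          # Alice's A, maintained from residues alone
    buffer = set()     # indices Bill has stored but not yet counted into B
    for _ in range(steps):
        op = rng.choice("1234")
        if op == "1":                                        # A1: send M_j
            j = rng.randrange(A, A + k)
            msgs.send((j, j % m2), loss)
        elif op == "2" and acks.items:                       # A2: receive ack
            b, b_res = acks.receive()
            d = (b_res - A_res) % m1
            b_dec = A_res + d if d <= k else A_res + d - m1  # unique b in [A - q1*k, A + k]
            assert b_dec == b
            A_res = max(A_res, b_dec)
            A = max(A, b)
        elif op == "3":                                      # B1: send ack
            acks.send((B, B % m1), loss)
        elif op == "4" and msgs.items:                       # B2: receive M_j
            j, j_res = msgs.receive()
            store = (j_res - B) % m2 < l                     # decided from the residue
            assert store == (B <= j < B + l)
            if store:
                buffer.add(j)
                while B in buffer:                           # extend the stored prefix
                    buffer.remove(B)
                    B += 1
        # System-wide invariants, visible to neither party.
        assert A == A_res and A <= B <= A + k
        bs = [b for _, (b, _) in acks.items]
        assert all(x <= y for x, y in zip(bs, bs[1:]))                   # Lemma 1
        assert all(A - q1 * k <= b <= A + k for b in bs)
        js = [j for _, (j, _) in msgs.items]
        assert all(js[a] < js[c] + k for a in range(len(js)) for c in range(a + 1, len(js)))
        assert all(j < A + k and B - k - q2 <= j < B + k for j in js)   # Lemma 2, bounds
    return {"A": A, "B": B, "ack_displacement": acks.displacement(),
            "msg_displacement": msgs.displacement()}


if __name__ == "__main__":
    print("FIFO   :", simulate(k=4, l=2, q1=0, qp1=0, q2=0, qp2=0, m1=5, m2=6))
    print("reorder:", simulate(k=3, l=2, q1=2, qp1=3, q2=1, qp2=2, m1=10, m2=6))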

The protocol of Stenning [2] requires that at least one acknowledgment be transmitted per message received; in this special case the bound $m_1 > k + q_1$ is necessary and sufficient, where $q_1$ is the maximum number of other acknowledgments that can be sent and received between the transmission and receipt of any particular acknowledgment.

In practice, Alice is a system program that receives messages sequentially from some user, and Bill is a system program that delivers messages sequentially to another user. Therefore, as Krogdahl has observed, the variables $A$ and $B$ need not be explicitly maintained; only their values modulo a common multiple of $m_1$ and $m_2$ are needed.